Penetration Testing mailing list archives

Re: The goal of pentest by PCI DSS?


From: Jerome Athias <jerome.athias () free fr>
Date: Mon, 05 Oct 2009 09:59:59 +0200

On Sunday, 04 October 2009 at 22:41 +0400, Taras wrote:

Does this mean that the main aim of a pentester under PCI DSS is cardholder
data? Or is the aim simply to gain access (exploit vulnerabilities) to as
many systems in the CDE as possible? I ask about this because we can gain
access to, for example, an Oracle DB and not try to search for PANs in it.
Or we can gain access to some user's workstation and not try to search for
cardholder data in the file system.

(Should be a good question to ask (my friend? :p) A. Gironda)
For me (after assuming that "Security is a process, not a product.",
Bruce Schneier), security should be transversal
(http://en.wikipedia.org/wiki/Transversal_line).


One more question. Do you use social engineering in pentests under PCI DSS?

A secretary always loves chocolate ;p
If it's a man, well... you should have some nice pictures in your
pocket ;)


Thanks for answers!

[0] https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf
[1] https://www.pcisecuritystandards.org/pdfs/infosupp_11_3_penetration_testing.pdf


/JA

